Recently, the Department of Health and Human Services (HHS) published a Final Rule, HIPAA Privacy Rule to Support Reproductive Health Care Privacy, in response to the 2023 Notice of Proposed Rule Making and increased state abortion laws since the U.S. Supreme Court decision in Dobbs v. Jackson Women’s Health Organization. The Final Rule aims to strengthen the Health Insurance Portability Act of 1996 (HIPAA) Privacy Rule by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care, described further below.

Compliance Snapshot

  • The Final Rule provides protection for individuals who receive reproductive health care when the care is provided lawfully, without risk of an individual’s identity or health information being disclosed for purposes of state criminal, civil or administrative investigations.
  • An attestation will be required prior to certain disclosures to confirm that the request is not for an improper purpose, effective beginning December 23, 2024.
  • Covered entities, including employer sponsors of self-insured group health plans and insurers, will need to update their Notice of Privacy Practices (NPP) by February 16, 2026, to include these new protections.

Final Rule: Overview

Per the fact sheet, the Final Rule prohibits “the use or disclosure of PHI by a covered health care provider, health plan, or health care clearinghouse—or their business associate—for either of the following activities:

  1. To conduct a criminal, civil, or administrative investigation into or impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care, where such health care is lawful under the circumstances in which it is provided.
  2. The identification of any person for the purpose of conducting such investigation or imposing such liability.

Under the Final Rule, the prohibition applies where a covered health care provider, health plan, or health care clearinghouse (covered entities) or business associate (collectively, “regulated entities”) has reasonably determined that one or more of the following conditions exists:

  1. The reproductive health care is lawful under the law of the state in which such health care is provided under the circumstances in which it is provided.
    • For example, if a resident of one state traveled to another state to receive reproductive health care, such as an abortion, that is lawful in the state where such health care was provided.
  2. The reproductive health care is protected, required, or authorized by Federal law, including the U.S. Constitution, regardless of the state in which such health care is provided.
    • For example, if use of the reproductive health care, such as contraception, is protected by the Constitution.
  3. The reproductive health care was provided by a person other than the covered health care provider, health plan, or health care clearinghouse (or business associates) that receives the request for PHI and the presumption described below applies.”

Attestation Requirement & HIPAA Notice of Privacy Practices Updates

In addition to the above prohibition, the Final Rule requires covered entities (e.g., a group health plan, or its business associates) to obtain an attestation signed by the requestor, noting that such use or disclosure is not prohibited under the final rule. An attestation will apply when requesting PHI for health oversight activities; judicial and administrative proceedings; law enforcement purposes; or disclosures to coroners and medical examiners. HHS intends to publish model attestation language before the effective date of this provision, which is December 23, 2024.

Effective beginning February 16, 2026, group health plans and issuers must have an updated NPP which includes a description (and examples) of the prohibited uses and disclosures of PHI and when an attestation is necessary, among other requirements. HHS intends to publish updated model Notices of Privacy Practices in advance of the effective date of this provision.

Employers who work with Sequoia should note that any related resources will be timely updated to comply with the Final Rule.

Employer Action

While the Final Rule is effective on June 25, 2024, group health plans (and other covered entities) and their business associates will be required to comply with these requirements by December 23, 2024, with updates to the NPP required by February 16, 2026. That said, employers should do the following, dependent on their plan type:

  • Self-insured/level funded group health plans: By February 16, 2026, plan sponsors should review and update their HIPAA Policies and Procedures, NPPs, and business associate agreements (BAAs) to ensure the terms comply with the Final Rule; and update employee HIPAA trainings to address this new prohibition. By December 23, 2024, ensure attestation is obtained before disclosing PHI in the circumstances described above.
  • Fully insured group health plans: By February 16, 2026, plan sponsors should confirm with their carriers that updates to their NPP will be completed.

Sequoia will continue to monitor for further guidance as HHS develops its model attestation and updates to the model NPP.

Additional Resources

Connect with a Sequoia consultant to learn how Sequoia’s compliance services are integrated in our benefits services and tailored solutions. And if you’re already a Sequoia client, stay on top of your employer obligations with your Compliance Checklist that highlights important compliance dates, action items, and resources.

The information and materials on this blog are provided for informational purposes only and are not intended to constitute legal or tax advice. Information provided in this blog may not reflect the most current legal developments and may vary by jurisdiction. The content on this blog is for general informational purposes only and does not apply to any particular facts or circumstances. The use of this blog does not in any way establish an attorney-client relationship, nor should any such relationship be implied, and the contents do not constitute legal or tax advice. If you require legal or tax advice, please consult with a licensed attorney or tax professional in your jurisdiction. The contributing authors expressly disclaim all liability to any persons or entities with respect to any action or inaction based on the contents of this blog. © 2024 Sequoia Consulting Group. All Rights Reserved.